With the growing prevalence of networks, incidents of network intrusion and hacker attacks are also increasing. In response, Intrusion Detection Systems (IDS) and Intrusion Protection Systems (IPS) have emerged to meet the need. The basic principle of operation of these systems is to reconstruct the data streams in the network from the received data packets and then, generally using a feature (signature) matching approach, to check whether the features of an attack are present in the reconstructed data streams. In addition, some statistical approaches may also be adopted, for example to detect attacks such as port scanning.
Because IDS/IPS analyzes the reconstructed data streams according to predetermined rules and detection modes, IDS/IPS has the advantage of producing accurate detection results. However, traditional IDS/IPS has some inherent shortcomings. Firstly, since IDS/IPS needs to reconstruct data streams from the received data packets and inspect their contents (the so-called packet inside detection), the performance of these systems is often limited by the packet inside detection process. When IDS/IPS operates in an environment of large network traffic, this performance limitation becomes more obvious. Secondly, the predetermined rules and detection modes in IDS/IPS must be updated in order to detect every kind of intrusion mode and measure that newly appears in the network, and new intrusion modes and measures emerge ever more rapidly with the increasing prevalence of various new kinds of networks, such as Social Network Sites (SNS) and P2P networks; traditional IDS/IPS therefore has the disadvantage of relatively slow updates. A further inherent disadvantage of traditional IDS/IPS is that, because it relies on packet inside detection, it cannot inspect data packets with encrypted content and thereby cannot analyze data streams comprising encrypted content. Since the new generation IP transmission protocol, IPv6, generally encrypts the data, it is difficult to apply current IDS/IPS to networks based on IPv6.
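The two preceding paragraphs describe the traditional IDS/IPS pipeline (stream reconstruction, signature matching, statistical detection) and its blind spot for encrypted content. The following is an added illustration written for this page, not code from the original document or from any product; the packets, flow keys, signature strings and the port-scan threshold are all constructed here. It shows that a signature split across two packets is only found after the stream is reconstructed, that the same request carried as opaque encrypted bytes produces no signature match at all, and that a statistical port-scan check still works because it needs only packet headers.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Packet:
    """Minimal constructed packet: addressing, TCP-like sequence number, payload."""
    src: str
    dst: str
    dport: int
    seq: int
    payload: bytes


# Constructed sample signatures standing in for an IDS rule set.
SIGNATURES = [b"UNION SELECT", b"/etc/passwd"]


def reassemble(packets):
    """Group packets by (src, dst, dport) flow and join payloads in sequence order.

    This is the 'render data streams from packets' step of a traditional IDS."""
    flows = defaultdict(list)
    for p in packets:
        flows[(p.src, p.dst, p.dport)].append(p)
    streams = {}
    for key, pkts in flows.items():
        pkts.sort(key=lambda p: p.seq)
        streams[key] = b"".join(p.payload for p in pkts)
    return streams


def match_signatures(streams):
    """Feature matching over reconstructed streams: (flow, signature) per hit."""
    alerts = []
    for key, data in streams.items():
        for sig in SIGNATURES:
            if sig in data:
                alerts.append((key, sig.decode()))
    return alerts


def match_per_packet(packets):
    """Naive per-packet matching, to show what reassembly buys you."""
    return match_signatures({(p.src, p.dst, p.dport, p.seq): p.payload for p in packets})


def detect_port_scan(packets, threshold=10):
    """Statistical check: flag sources touching >= threshold distinct (dst, port) pairs.

    Only header fields are used, so this still works on encrypted traffic."""
    targets_by_src = defaultdict(set)
    for p in packets:
        targets_by_src[p.src].add((p.dst, p.dport))
    return sorted(src for src, t in targets_by_src.items() if len(t) >= threshold)


def sample_traffic():
    """Constructed traffic: one split-signature flow, one opaque flow, one scan."""
    pkts = [
        # Flow A: the signature straddles a packet boundary (delivered out of order).
        Packet("10.0.0.5", "10.0.0.9", 80, 2, b"ECT * FROM users"),
        Packet("10.0.0.5", "10.0.0.9", 80, 1, b"GET /?id=1 UNION SEL"),
        # Flow B: same kind of request inside an encrypted session; the sensor sees
        # only opaque bytes, so content inspection cannot match anything.
        Packet("10.0.0.6", "10.0.0.9", 443, 1, bytes(range(0x80, 0x90))),
    ]
    # Flow C: one source probing twelve ports on one host with empty payloads.
    for port in range(1, 13):
        pkts.append(Packet("10.0.0.7", "10.0.0.9", port, 1, b""))
    return pkts


if __name__ == "__main__":
    traffic = sample_traffic()
    print("per-packet hits :", match_per_packet(traffic))
    print("stream hits     :", match_signatures(reassemble(traffic)))
    print("port scanners   :", detect_port_scan(traffic))
```

Running the block shows no per-packet hit, one hit on the reconstructed flow from 10.0.0.5, nothing for the opaque flow from 10.0.0.6, and 10.0.0.7 flagged by the header-only port-scan statistic.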
Therefore, what is desired is an abnormal traffic analysis apparatus and method that can be used in IDS/IPS and that can overcome the above disadvantages of traditional IDS/IPS. In addition, the abnormal traffic analysis apparatus and method should be readily applicable to networks based on IPv6.